apis are critical to security people - first · 2019-03-05 · -libraries-operating systems-remote...
TRANSCRIPT
APIs are critical to security
peoplewhat I learned trying to discover useful APIs
Motivation for that talk
- Working on Incident Response on a daily base
- Wide variety of tools in use
- Very important data is processed by Security people
- Developing / contribute some open source tools
Agenda
- What is an API?
- Why do IR teams need APIs?
- Requirements to an API?
- How I approached it?
- The Good
- The Bad
- The Ugly
- What can you do?
Types of APIs
- Libraries - Operating systems - Remote APIs
- Web APIs
Why do Security people need APIs
- Cyber requires different sources of information to ...
- Not one tool to rule them all
- Different destinations to prevent badness
- (Interact with Systems / devices)
Logs
Sandbox Sandbox Sandbox
Ticket
System
Virustotal Domaintools etc
Logs
Sandbox Sandbox Sandbox
Ticket
System
Virustotal Domaintools etc
API collection / metadata
What is a good API?
Availability of API / interfaces
Documentation
Versioned API
Nothing bugs more than an API endpoint
change that breaks scripts / workflows
Sample data so people can play
Reference implementation
RESTful
Makes it easier for everyone involved
scalable
- API needs to grow
- give feedback of implemented rate limiting
Security built in
- encryption
- logging
- authentication
Pyramide of API
Sample Data
Versions
Documentation
Availability of an API
How I approached it
- Wrote down every tool I used during a day
- Answered following questions- Am I the only one using the tool / database?
- Does the tool has an API?
- Where is the API documentation?
The Good
- Virustotal
- Cuckoo
- New Misp API
The Bad (with reasons)
- MISP (old Api)- API documented, but not 100 % accurate
- manual effort to keep it updated
- no samples for every endpoint available
- Timesketch- Api.py available
- No documentation
- No examples
- But: python api wrapper
The Ugly
- Proxy provider had a public facing site
- Used an public facing API
- was discovered and documented
- was used among security people
- silently very hard rate limiting
https://github.com/deralexxx/security-apis
What can you do?
- make it a hard requirement for - every commercial security tool you
buy
- every security tool you develop
inhouse
- every security tool you contribute to
- contribute to the github
repository- tools you developed
- tools you use
- other tools
- Open issues for tools you use
with the vendor / developer
Q&A
Description
More and more Security tools are introduced in the cyber eco system which
increases the complexity dramatically. To combat that - there are basically
two ways to scale:
a) go for a “one tool to rule them all” approach
b) make use of APIs and connect them
For the option b the first step is to collect all tools that are available and discover
if and what APIs these tools have. During a period of several months, I did
that and open sources that list to github
(https://github.com/deralexxx/security-apis).
Weaponized with that list, it is easier for security folks to do an inventory of their
capabilities as well as requirements for future security tools to
Requirements to an API
- documented- (available for everyone)
- Examples- sample files so it is not mandatory to install tool xyz to write an integration
- sample implementations to interact with the API
- security built in- encryption
- access control
- logging what was accessed
- ...
TODO
API memes